Setting Up Certificate Authentication for an Azure Connection

This topic covers the process of setting up certificate authentication for an Azure AD Connection. In short, the process is:

  1. Either acquire or generate a certificate. Either way, you will need:

    • A PEM file containing the certificate's public key, for uploading to Azure AD.

    • A PFX file containing the certificate's private key, and the password (if any) and common name (if any) used to create that PFX file.

  2. Register the RunMyJobs application with Azure AD. This will involve uploading the certificate's PEM file to Azure.

  3. In RunMyJobs, create an Azure AD Connection that uses Certificate authentication. Upload the PFX file, and enter the password that was used to generate it.

Creating a Certificate with OpenSSL

Note: This section explains how to create a self-signed certificate. However, Redwood recommends using a certificate that has been signed by a trusted Certificate Authority.

To create a self-signed certificate using OpenSSL:

# Generate an RSA private key to use for signing the new certificate
$ openssl genrsa -out key.pem 2048

# Generate a new certificate signing request (CSR) and sign it with the private key
$ openssl req -new -sha256 -key key.pem -out requ.csr

# Use the certificate request to generate a new self-signed certificate that is valid for a year.
# The output cert.pem is the certificate (containing the public key) that will be uploaded to
# the Azure AD Application in the Azure Portal.
$ openssl req -x509 -sha256 -days 365 -key key.pem -in requ.csr -out cert.pem

# Bundle the private key and certificate into a PKCS#12 file (cert.pfx) that will be uploaded to the Azure AD Connection in RMJ.
# This command prompts for an export password.
# NOTE: The export password you set on this PFX must be set on the Azure AD Connection as well.
$ openssl pkcs12 -export -inkey key.pem -in cert.pem -out cert.pfx

This will generate files named cert.pem and cert.pfx. You will use these files in the following section.
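The following script is an added example, not Redwood's own code: it runs the same four OpenSSL steps above non-interactively in a scratch directory and then checks the results a practitioner would want to confirm before uploading anything: that the private key in key.pem really belongs to cert.pem, that cert.pfx opens with the password that will be entered on the Connection, and that the PFX carries the same certificate (same SHA-1 thumbprint) as the PEM file uploaded to Azure. It assumes openssl is on PATH; the subject name and the PFX password are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original page). Assumes: openssl on PATH.
# Subject name and PFX password below are constructed placeholders.
set -eu

# Run the four steps from the page non-interactively.
# $1 = working directory, $2 = PFX export password (also set on the Azure AD Connection).
make_cert_bundle() {
  dir="$1"; pfx_pass="$2"
  mkdir -p "$dir"
  # 1. RSA private key used to sign the certificate
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  # 2. CSR signed with that key; -subj avoids the interactive prompts (constructed CN)
  openssl req -new -sha256 -key "$dir/key.pem" -subj "/CN=runmyjobs-example" -out "$dir/requ.csr"
  # 3. Self-signed certificate (public half, uploaded to the Azure AD Application)
  openssl req -x509 -sha256 -days 365 -key "$dir/key.pem" -in "$dir/requ.csr" -out "$dir/cert.pem"
  # 4. PKCS#12 bundle with the private key (uploaded to the Azure AD Connection in RMJ)
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$dir/cert.pfx" -passout "pass:$pfx_pass"
}

# Return 0 when the public key inside cert.pem matches the private key in key.pem.
# Compares the DER-encoded SubjectPublicKeyInfo derived from each file.
key_matches_cert() {
  dir="$1"
  from_key=$(openssl pkey -in "$dir/key.pem" -pubout -outform DER | openssl sha256)
  from_cert=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout \
              | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$from_key" = "$from_cert" ]
}

# Print the SHA-1 thumbprint of cert.pem as 40 uppercase hex digits without colons,
# the form the Azure portal lists under Certificates & secrets.
cert_thumbprint() {
  openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Open cert.pfx with the given password and print the thumbprint of the certificate
# it contains. Fails (non-zero) when the password is wrong, so a mismatch between the
# PFX password and the one entered on the Connection is caught before uploading.
pfx_thumbprint() {
  dir="$1"; pfx_pass="$2"
  pem=$(openssl pkcs12 -in "$dir/cert.pfx" -passin "pass:$pfx_pass" -nokeys -clcerts 2>/dev/null) \
    || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Usage: make_cert_bundle ./out 'example-pfx-password' && key_matches_cert ./out \
#        && [ "$(cert_thumbprint ./out)" = "$(pfx_thumbprint ./out 'example-pfx-password')" ]
```

The thumbprint comparison is the check worth keeping in a runbook: Azure identifies the uploaded certificate by thumbprint, so matching it against the PFX proves the Connection and the App registration refer to the same key pair.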

Registering the RunMyJobs Application with Azure AD

To register RunMyJobs as an application with Azure:

  1. Navigate to https://aad.portal.azure.com.
  2. On the left, click Azure Active Directory.
  3. On the left, choose App registrations.
  4. Enter a name in the Name field.
  5. Click Register.
  6. Click Certificates & secrets, choose Upload certificate and browse to your PEM certificate.
  7. Store the Application (client) ID (Client ID) and Directory (tenant) ID (Tenant ID) for future use and choose Add Permissions.
  8. Under What type of permissions does your application require, choose Application permissions.
  9. Assign the required permissions to the app and choose Add permissions. (You can change these later if you need to; for more information, see the Azure documentation.)